Saturday, October 15, 2011

Local URIs are more equal than others (Part 1)

On Wednesday, Cedric Sodhi asked the WebKit development mailing list why WebKit restricts access to local URIs. This post describes one of the reasons why local URIs are more equal than other URIs. In a future post, we'll revisit this issue when we discuss how local URIs (e.g., file:///Users/abarth/tax2010.pdf) don't really fit cleanly into the web security model.

Although the web platform largely isolates different origins from each other, there are a number of "leaks" whereby one origin can extract information from another origin. For example, browsers let one origin embed images from another origin, leaking information such as the height and width of the images across origins. These leaks are often at the core of security vulnerabilities in the platform.

This same leak exists, of course, between local origins (e.g., those with file URIs) and non-local origins (e.g., those with http or https URIs). What kind of information could a web site extract from your local system using this leak?

On my laptop, I have Skype installed, which means that, on my laptop, the URI below resolves to a PNG image with a particular height and width:

file:///Applications/Skype.app/Contents/Resources/SmallBlackDot.png

If I visit a web site and the browser doesn't address this leak, the web site could determine whether I have Skype installed by attempting to load that URI as an image. On my laptop, the image element would have a certain well-known height and width, but on a laptop without Skype installed, the browser would fire the error event.

Returning to Cedric's question, why do browser vendors restrict access to local URIs but not to non-local URIs if both have the same information leak? I would prefer to close this leak in both cases, but many web sites embed cross-origin images, e.g. from content delivery networks. If we were adding the <img> tag today, we would probably require servers to opt in to cross-origin embedding using the Cross-Origin Resource Sharing protocol.

Fortunately, very few web sites include images (or other resources) from local URIs (especially after we removed the full path from <input type="file">, but that's a story for another time). That means browsers can block all loads of local resources by non-local origins without making users sad, preventing web sites from snooping on your local file system.
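The following is an added example, not code from the original post or from WebKit: a simplified model of the policy described above, showing that when the decision is made from the two URLs alone, a non-local page observes the same result whether or not the local file exists. The function names, the `resources` map, the image dimensions and the example.com / cdn.example URLs are constructed for illustration.

```javascript
// Simplified model of "block local loads from non-local origins".
// Not WebKit's implementation; all names here are hypothetical.
const LOCAL_SCHEMES = new Set(["file:"]); // assumption: only file: counts as local

function isLocal(url) {
  return LOCAL_SCHEMES.has(url.protocol);
}

// Policy decision, made from the URLs alone, before any resource is touched.
function mayLoad(documentURL, resourceURL) {
  const doc = new URL(documentURL);
  const res = new URL(resourceURL, doc); // resolve relative references
  if (isLocal(res) && !isLocal(doc)) {
    return { allowed: false, reason: "non-local origin requested a local resource" };
  }
  return { allowed: true, reason: "permitted" };
}

// What the embedding page can observe from an image load.
// `resources` is a constructed stand-in for files and servers: URL -> image size.
function observeImageLoad(documentURL, resourceURL, resources) {
  if (!mayLoad(documentURL, resourceURL).allowed) {
    return { event: "error" }; // identical whether or not the file exists
  }
  const image = resources.get(new URL(resourceURL, documentURL).href);
  return image
    ? { event: "load", width: image.width, height: image.height }
    : { event: "error" };
}

// Constructed sample data: the URI from the post, with made-up dimensions.
const SKYPE_DOT = "file:///Applications/Skype.app/Contents/Resources/SmallBlackDot.png";
const withSkype = new Map([
  [SKYPE_DOT, { width: 8, height: 8 }],
  ["https://cdn.example/logo.png", { width: 120, height: 40 }],
]);
const withoutSkype = new Map([
  ["https://cdn.example/logo.png", { width: 120, height: 40 }],
]);

// Compare what a page at `documentURL` sees on the two machines.
function observationsDiffer(documentURL, resourceURL) {
  const a = observeImageLoad(documentURL, resourceURL, withSkype);
  const b = observeImageLoad(documentURL, resourceURL, withoutSkype);
  return JSON.stringify(a) !== JSON.stringify(b);
}
```

In this model a page at a web origin cannot distinguish the two machines, a local page still can, and the cross-origin load from the CDN still exposes its dimensions, which is the leak the post says remains open for non-local URIs.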

339 comments:

" If we were adding the 'img' tag today, we would probably require servers opt in to cross-origin embedding using [the CORS protocol]." Is there an easy way to use CORS for such tasks without inventing a JS DSL? Such a perspective suggests CORS isn't integrated into basic APIs, making productive programming unsecure-by-default even with the fix. I hadn't followed the API support for CORS, so I'm surprised!

Leo, I'm not sure I understand your question. The browser needs to help the web site make a CORS request when loading images. For example, there's no way for a web site to attach the Origin header to a request without help from the browser because we want the Origin header to accurately reflect the origin of the requester.

As to the broader thrust of your question, the default behavior for loading images is very likely to remain unchanged (i.e., insecure) because changing the default would likely break every web site.
